Kaminsky: DNS flaw capable of attacks on many fronts

By Robert Westervelt, News Editor 06 Aug 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

There's a reason why so many people had so many things to speculate about, because there's a ton of different paths that lead to doom. Dan Kaminsky, director of penetration testing, IOActive

LAS VEGAS -- Speaking to more than 1,000 security professionals at the Black Hat briefings, Dan Kaminsky outlined more than a dozen ways the DNS cache poisoning flaw could be used to cause widespread damage on internal and external servers.

Kaminsky's presentation Wednesday marked the first time the full details of the vulnerability were revealed since it was publicly disclosed July 8 in a massive coordinated patch release by multiple DNS vendors.

Kaminsky, director of penetration testing at IOActive Inc., said the vulnerability enables attackers to move beyond standard server or browser attacks and into attacks on applications that pull data from the Web -- making a DNS request -- without using a browser. Email, Voice over Internet Protocol (VoIP) and analytical applications are vulnerable to the poisoning attack. Authentication servers, back-end databases and even service-oriented architectures (SOA) are at risk since they are directed by DNS, even though they may be behind a firewall.

Black Hat 2008 Visit our extensive news coverage of Black Hat 2008. Exclusive photos of Black Hat 2008. Mozilla to release Firefox threat-modeling data: The Mozilla Foundation's security chief says it will soon publicly release threat-modeling data for the next version of the Firefox Web browser. Valuable lesson emerges from DNS flaw handling Any effort to prevent others in the legitimate security community from working out the problem is a waste of time. Hoffman to demonstrate new hacking techniques Researcher to demonstrate hacking methods that enable malware authors to shield their programs from analysis.

"There's a reason why so many people had so many things to speculate about, because there's a ton of different paths that lead to doom," Kaminsky said.

IT administrators had a good reason to deploy patches quickly, Kaminsky said. An attack can be carried out in seconds by flooding the DNS server with requests until a legitimate answer is received. The technique also involves redirecting the name server to an IP address set up by the attacker, and the use of bailiwick checking to dupe the server into believing the queried domain is legit.

The good news is that 70% of Fortune 500 email servers have been patched, as well as 61% of other servers. Still, more work needs to be done, he said. The vulnerability exposed the degree to which security best practices have been ignored, Kaminsky said. Even if a patch is fully deployed, there are other ways unencrypted IP traffic can be sniffed by an attacker, he said.

"DNS should not have been capable of this much damage," Kaminsky said. "Why was such a stupid simple bug capable of breaking this many things?"

Other attack scenarios make website verification and application updates vulnerable. Kaminsky highlighted the threat to SSL certificates, which are dependent on DNS. He called the certificate system poorly managed and mostly ignored by end users. With an exception to Microsoft updates, many vendor updates are dependent on DNS for verification, he said.

SearchSecurity radio:

Microsoft, Cisco Systems Inc., Internet Systems Consortium Berkeley Internet Name Domain (ISC BIND) and other vendors met at a secret summit in March to figure out how to repair the issue. Ultimately, the vendors agreed to issue a critical design patch that implements port randomization to correct the problem. Instead of randomizing on a transaction ID field of 16 bits, it now randomizes using 27-30 bits, greatly reducing the odds of someone successfully carrying out an attack, Kaminsky said. The session proved that vendors can cooperate despite competition and have a productive result, he said.

"We had a choice back at our summit in March," Kaminsky said. "We could either do point fixes or we could drop the sledge hammer and finally raise the odds from one out of 65,000 to one out of hundreds of millions."

Behind the scenes, DNS vendors and security experts are still racing to come up with a more permanent fix.

Rodney Joffe, senior vice president and senior technologist at NeuStar, a DNS vendor. Joffe sits on the Security and Stability Committee of the Internet Corporation for Assigned Names and Numbers (ICANN), and has worked on DNS security issues for years at ICANN meetings. He said it has been clear behind the scenes of how challenging it is to solve the DNS cache poisoning flaw. Although the current patch solves the problem temporarily, vendors need to push for a more permanent fix, he said.

Joffe is advocating for DNSSEC, a 12-year-old protocol that allows for the trusted signing of DNS answers.

"Over coming months and days it's going to drop down to hours and seconds again for attackers to pull off a successful exploit as they get more bandwidth available," Joffe said. "It's going to be race between getting DNSSEC deployed and getting machines and more bandwidth."

Tags: Web Server Threats and Countermeasures,  Emerging Information Security Threats,  Web Application Security,  Web Services Security and SOA Security,  Web Browser Security,  Web Application and Web 2.0 Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Server Threats and Countermeasures Microsoft doesn't rule out rushed patch for IIS zero-day vulnerability How do passwordless SSH keys represent an enterprise attack vector? Information security book excerpts and reviews Increase in Gumblar backdoors poses FTP credential problems VeriSign extends DDoS attack protection service Microsoft issues IIS FTP advisory, exploit code circulates Panda reports fast-spreading rogueware antivirus fraud rakes in millions Oracle issues quarterly patches, fixes database flaws Latest DDoS attacks extremely unsophisticated, experts say Stolen FTP credentials likely in massive website attacks Emerging Information Security Threats Leverage Google Attacks to Improve Cybersecurity SCADA system, critical infrastructure security lacking, survey finds Preparing for future security threats, evolving malware Facebook attacks prompt investments in social networking security Information security podcasts: 2009 archive Hathaway calls for international cybercrime task force Active PDF attacks target Reader, Acrobat zero-day vulnerability Sites hit with massive automated SQL injection attack Cybercriminals invest in social networking attacks Best practices for (small) botnets Web Application Security Attackers zero in on Web application vulnerabilities Self-defending Web applications thwart attacks Facebook, McAfee partner to fix social network security issues Web application attacks security guide: Preventing attacks and flaws Using unique device identification for bank website security Information security book excerpts and reviews Black box and white box testing: Which is best? InZero Systems launches hardware-based security gateway Web application vulnerability assessment shows patching progress Preventing SQL injection attacks: A network admin's perspective

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cache cramming  (SearchSecurity.com) content filtering  (SearchSecurity.com) Web filter  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary